Cloud

Your Files are in the Cloud, so Why Isn’t Your Security?

Cloud technology has been embraced wholeheartedly by businesses, but security is slow to follow. Lucy Ingham catches up with Rick McElroy, security strategist at Carbon Black, to find out why businesses have been slow to switch and how cloud security is progressing

Over the past decade, the cloud has become the hottest term in business, with everyone from major corporations to SMEs making use of the technology. However, security has not always been keeping pace, with many businesses continuing to use localised solutions despite the rest of their operations – and thus, their data – being cloud-based.

“I talk to a lot of CSOs and some are hesitant to look at the cloud,” says Rick McElroy, security strategist at cloud security provider Carbon Black. “What I say to them is: where's your data? And generally it's going to be in Azure, or Office 365, Google Docs, maybe they're using Dropbox or all of these other things.”

Generally the fear around using cloud-based security stems from the idea that it is more risky than traditional solutions. After all, the cloud is associated with many of the most high-profile breaches in recent years. However McElroy argues that this is not the case.

“When you really boil the risk down, you say well look, my data already exists in the cloud. I don't have visibility into it,” he says.

“If I deploy security solutions that give me visibility into where my data's at that looks at attacks, for me the trade-off is worth it because the benefits outweigh the risks.”

Beyond company boundaries: the benefits of cloud security

When it comes to the benefits of cloud security, companies such as Carbon Black are able to provide organisations with greater threat and attack response intelligence than could be achieved with their data alone.

This is because products such as Carbon Black’s Predictive Security Cloud pool the intelligence gleaned from all their customers’ data and share it with all the organisations they cover.

“This is the idea that you can record all of the right information, apply great analytics on top of that with a feedback loop for all the customers that are in that system, so that an attack against one of them really protects all of them at the same time,” explains McElroy.

This requires a certain number of customers to work, however Carbon Black operates at a scale where this provides genuine and valuable insight to its customers.

“We've got thousands of customers and hundreds of thousands of streams coming to our cloud everyday,” he says.

“An attack against one of company protects all of them at the same time.”

Perhaps more significantly, cloud security frees up operational costs associated with traditional security, as McElroy discovered when he assisted several enterprises with their transition to the cloud.

“I was able to see what the CIO got out of it, what the business got out of it. We were delivering features faster, our uptime was higher, our costs were cheaper,” he says.

“Well, security is expensive. Those are all things that I need, right?”

This also frees up security professionals to focus on threat detection and prevention rather than maintaining weighty infrastructure.

“What happened in security is we all built infrastructure. And now my team of engineers and threat hunters are maintaining my infrastructure, they're not going to find evil and take the bad guys out,” he says.

Making the case for cloud security

Cloud security is a relatively young product sector, meaning vendors have to work hard to make the case to would-be customers. And this is a particularly significant challenge in the generally conservative security sector.

“I think most security professionals are going to be slow to adopt any new tech. There'll be like the 1% that's like: 'Yeah the next thing, I'm going to go get it and try it'. And then there's the rest of the market, which is like: 'Hey when Apple and Google do it, then we'll do it’,” says McElroy.

However, with support from a number of thought-leaders in the space, cloud security adoption is starting to grow.

“I think what you're starting to see is the leaders out there went to the cloud, they're out talking about the benefits and then everybody else is going to start to follow,” he says.

“The leaders out there went to the cloud, they're out talking about the benefits and then everybody else is going to start to follow.”

But where vendors such as Carbon Black are having to do the most work in convincing companies is with SMEs.

“We spend an inordinate amount of time educating the largest amount of security professionals out there: SME,” he says.

“It's very hard for them because they don't have big teams to go build threat hunters and security operation centres. And so it's really empowering them with the right platforms to get the right data to make their jobs easier, not just give a bunch of data that they can't take action on.”

The future cloud

While there are mature cloud security technologies available today, the technology has by no means stopped progressing, meaning that as time goes on, it will become increasingly sophisticated.

“I think most vendors out there are fairly new to the cloud security game, so you are going to see all kinds of things in the future,” he says. “You'll see further leveraging of machine learning (ML) and AI.

“When you have a cloud like that then it's pretty easy to build new features on the backend and then deliver those out to customers on a regular basis.

“So I think you'll see everything from better analytics, better threat intel to organisations out there that are applying ML and AI.”

PR nightmares: Ten of the worst corporate data breaches

LinkedIn, 2012

Hackers sold name and password info for more than 117 million accounts

Target, 2013

The personal and financial information of 110 million customers was exposed

JP Morgan, 2014

One JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m

Home Depot, 2014

Hackers stole email and credit card data from more than 50 million customers

Sony, 2014

Emails and sensitive documents were leaked, thought to be by North Korea im retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un

Hilton Hotels, 2015

Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data

TalkTalk, 2015

The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen

Tesco, 2016

Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts

Swift, 2016

Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve

Chipotle, 2017

Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang

LinkedIn, 2012

Hackers sold name and password info for more than 117 million accounts

Target, 2013

The personal and financial information of 110 million customers was exposed

JP Morgan, 2014

One JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m

Home Depot, 2014

Hackers stole email and credit card data from more than 50 million customers

Sony, 2014

Emails and sensitive documents were leaked, thought to be by North Korea im retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un

Hilton Hotels, 2015

Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data

TalkTalk, 2015

The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen

Tesco, 2016

Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts

Swift, 2016

Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve

Chipotle, 2017

Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang